Analysis
-
max time kernel
0s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-10-2024 09:54
Static task
static1
Behavioral task
behavioral1
Sample
REVISED INVOICE.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
REVISED INVOICE.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Hyperclimax.ps1
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Hyperclimax.ps1
Resource
win10v2004-20241007-en
General
-
Target
REVISED INVOICE.exe
-
Size
983KB
-
MD5
8274b1a41b53bf35e0b4330a20010d4c
-
SHA1
0b263f01dd3e10389cd4fe6575d114ea301ee874
-
SHA256
d2320e5704e90bc713c59a0521bacf04ca5751c2481e1dd4e3a95494981d867c
-
SHA512
727ed4fe93c9f0da19df61b81d3f92a9ddc9b6680b2ac841e1ed3ed37bbbe7ecc4a628dfddf31429d2fb5034edd6bc7f742a84f6e76fe7f7401dcd98ea3ec644
-
SSDEEP
12288:KBu+je2mGYUNpeqzfAOKUXWkP/8KYfNrnEoYhJLAMhuwIm/toWyqTnoXnPolxsq8:D+63cWqv3nANr8xAGuwIm/yWiopvC9wG
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.ionos.fr - Port:
587 - Username:
[email protected] - Password:
Jc.2o3o@ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 46 checkip.dyndns.org -
Drops file in Windows directory 3 IoCs
Processes:
REVISED INVOICE.exedescription ioc process File created C:\Windows\resources\0409\syntonolydian\statsminister.lnk REVISED INVOICE.exe File opened for modification C:\Windows\resources\0409\federalt\Telephonists230.Ube REVISED INVOICE.exe File opened for modification C:\Windows\resources\snagline.sub REVISED INVOICE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
REVISED INVOICE.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language REVISED INVOICE.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\REVISED INVOICE.exe"C:\Users\Admin\AppData\Local\Temp\REVISED INVOICE.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3692 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Funktionserklringen=Get-Content -raw 'C:\Users\Admin\AppData\Local\fona\Kvit\Hyperclimax.Com';$Longers=$Funktionserklringen.SubString(56921,3);.$Longers($Funktionserklringen)"2⤵
- Command and Scripting Interpreter: PowerShell
PID:4372 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵PID:3080
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
55KB
MD56ac57b58205d75aee6380c3c6a8ef2a2
SHA1466480b2a43b6c6dd95253849acaafcef82ca2b3
SHA256f79002317d2a561e589e0006dd549d39c71488689ce772b15f84f393926a2786
SHA512ea0dea24679edb7b4d10a62e23d52bf8102338bea90957f27adc92228a54bb0b49bb710b2ed9a159b48eb5ad1a353fdcefb311a2569a82d1bed17f8f4e7782be
-
Filesize
315KB
MD502093bf4e23f0dc4ed17ace33f3071c3
SHA1ff8e59ee5eb06847411f0f11319081acc6510f8c
SHA2562f9c4d11c84da12fc93d685d8a1cf99f0b7c9fe42d50bcd56e08d6e4b2a8014b
SHA51241f9d4a882d570da60724494d64dab81c2cacab90b90b44ce5ae4726bd6dfaabf5c3e6abf358575b3f321b62dbd7fcbc0788c49c135f511e5be7826bda6426ca
-
Filesize
876B
MD5c87ab8bcaa63a6064aa01de3f82668f7
SHA18ec92b2666bb9113d3543c8184fde8a1a09bde4e
SHA256145b6e14ecdf155dbc9c2a7aee435146a08185b9ed97aef56d9ee6768df36eb2
SHA5124e4b7a369f9171e5fad8b0a45f6a358cb3979d84f340c82ef470af81b7c33186ce7747e5b8bf69108e99be5817b48e4bdee967a94717e19d703f49d2a823ccaf